1.2 Overview of IoT Cloud Server Security Issues

In part one of this video series, we will look at the security issues that arise when an attacker eavesdrops on the data exchange between a cloud server and an IoT device. We will also briefly explore the standard practices used to address these security issues. The internet of things applications growing and evolving rapidly, more and more services and applications are connected to the cloud. In most of these applications, a resource-constrained device connects to the cloud server over the internet to transmit and receive data or information continuously.
As a typical IoT device is resource-constrained, information is exchanged in plain text. For most of the IoT applications, this information is the most valuable component. It's very easy for an unauthorized or undesired person to eavesdrop on this valuable information due to which data exchange is no longer confidential. To ensure data confidentiality, while information is exchanged between server and client, encryption is commonly used.
Using encryption, the transmitter converts the confidential information into seemingly random bytes with the help of a secret key before sending over the internet. Only the receiver has the means that is the secret key to convert these random bytes or encrypted data back into the original data. We will look at encryption in more detail in part two of this video series.
We have learned that with encryption, we can preserve the confidentiality of data while communicating with the server over the internet. But encryption alone will not guarantee that data is secure. If an eavesdropper has access to the information transferred over the internet, it can be modified, even if this information is encrypted. If done smartly, it is possible that the modifications are not detected. This results in loss of data integrity.
To ensure data integrity, hashing is the most commonly used method. This is achieved by the transmitter converting a variable length data into random bytes of fixed length. The actual data and these random bytes are sent over the internet. After receiving this information, the receiver also converts the variable length data into random bytes using the same method that was used at the source.
The random bytes calculated by the receiver match those that were sent. Then the receiver knows that the data has not been tampered with. If they don't match, then someone tampered with either the data or the random bytes, and the receiver knows that the information cannot be trusted.
We will cover hashing in more detail in part three of this tutorial. We have learned that with encryption and hashing, we can preserve the confidentiality and integrity of data while communicating with the server over the internet. How can the IoT device trust that the server it is trying to communicate with is indeed who it claims to be? There is a risk that an attacker could manipulate the messages between the server and client and pretend to be the server to which the IoT device is trying to communicate with.
By gaining access to any data, the attacker could cause significant trouble, even if this data is encrypted and hashed. For example, the attacker could inject random data that could introduce noise in an audio system. Or the attacker can reuse old encrypted and hashed data that could have an unintended effect now. Hence, it is imperative that the IoT verifies the authenticity of the server before it starts exchanging valuable information. A common method used to authenticate a server is to request and verify the TLS or SSL certificate of the server. We will cover TLS/SSL certificates and how they help in authenticating a server in more detail in part four of this tutorial.

Details

Date:
January 18, 2016

In this video, we will look at the different security issues that could arise when an attacker eavesdrops on the data exchange between an IoT device and a cloud server. We will also briefly explore the standard practices used to address these security issues. The remaining three parts will explain in more detail the standard methods that can be used to address these security issues.